Flame surveillance worm 'most complex threat ever'

Two-year rampage in Middle East.

A worm described as ‘the most sophisticated cyber weapon yet unleashed' has been detected attacking nations in the Middle East.

Iran's Computer Emergency Response Team (CCCERT) said yesterday the malware could be linked to "mass breaches" in the country and was related to infamous malware application Stuxnet and Duqu.

It had attacked predominantly Middle Eastern countries including Iran, Israel and Syria.

Flame (Worm.Win32.Flame) had existed since 2010 and spread via removable media according to the CERT and by exploiting a patched Microsoft printer hole -- the same tapped by Stuxnet.

It contained a backdoor and trojan and had worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so.

Kaspersky Labs researcher Alex Gostev said it was "one of the most complex threats ever discovered".

Once a system is infected, Flame would sniff network traffic, taking screenshots, recording audio conversations, intercepting the keyboard and other actions, which is passed on to the operators through the link to Flame's command and control (C&C) servers.

“Knowing that sooner or later Stuxnet and Duqu would be discovered, it would make sense to produce other similar projects ... we believe Flame to be a parallel project, created as a fallback in case some other project is discovered,” Gostev said.

Flame was 20 Mb in size, dwarfing Stuxnet by a factor of 20.

It combined different libraries including some for compression (zlib, libbz2, ppmd), for database manipulation (sqlite3) and a LUA virtual machine -- the programming language of which many of its parts are written.

Gostev said the malware concealed itself within large amounts of code.

Flame could send recorded data to the C&C through a covert SSL channel, regularly take screenshots, and collect data on Bluetooth discoverable devices and turn the infected machine into a beacon.

Take part in discussions with comments on blogs, news and reviews; receive all the latest industry news directly to your inbox and tailor make your information specifically to your interests. Join now for free.

Please check your email

A confirmation email has been sent to your email address - SUPPLIED GOES EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.

If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @itnews.com.au to your white-listed senders.